
What's your take on this Spammer?

Discussion in 'General Discussion' started by trout21, Nov 14, 2006.

  1. trout21

    Hello,

    I have searched around in the forums and have done everything that I found that I hadn't thought of; followed Chirpy's guide to tracking down a spammer especially; re-compiled apache with phpsuexec to see if it was a rogue script - I can't find any evidence in the logs pointing to anything ...

    Code:
    2006-11-14 04:37:50 H=(he108war.uk.vianw.net) [195.102.244.139] F=<> rejected RCPT <cordagecohosh@mydomain.com>: 
    2006-11-14 04:39:05 H=(mta427.mail.mud.yahoo.com) [209.191.88.166] F=<> rejected RCPT <cliffhangbackboard@mydomain.com>: 
    2006-11-14 04:39:45 H=(c-68-37-22-212.hsd1.de.comcast.net) [68.37.22.212] sender verify defer for <eugkwolppp@oregonweb.com>: host lookup did not complete
    2006-11-14 04:39:45 unexpected disconnection while reading SMTP command from (c-68-37-22-212.hsd1.de.comcast.net) [68.37.22.212]
    2006-11-14 04:40:03 H=(MailMarshall.sparcc.org) [208.108.208.15] F=<> rejected RCPT <animadversionarctic@mydomain.com>: 
    2006-11-14 04:40:21 H=(mail.winninggifts.com) [207.159.143.98] sender verify fail for <postmaster@mail.winninggifts.com>: response to "MAIL FROM:<>" from mail.winninggifts.com [207.159.143.98] was: 501 bogus mail from
    2006-11-14 04:40:21 H=(mail.winninggifts.com) [207.159.143.98] F=<postmaster@mail.winninggifts.com> rejected RCPT <audiotapecloak@mydomain.com>: Sender verify failed
    2006-11-14 04:40:21 unexpected disconnection while reading SMTP command from (mail.winninggifts.com) [207.159.143.98]
    2006-11-14 04:41:22 H=(mailx.hoster.ru) [195.128.50.36] F=<> rejected RCPT <churchillianconduit@mydomain.com>: 
    2006-11-14 04:41:35 H=(smtp-outbound2.host.net) [64.135.6.8] F=<postmaster@host.net> rejected RCPT <confrontationdiocese@mydomain.com>: 
    2006-11-14 04:41:35 unexpected disconnection while reading SMTP command from (smtp-outbound2.host.net) [64.135.6.8]
    2006-11-14 04:41:55 H=(mccoy.izr.com) [195.26.37.7] sender verify defer for <www-data@mccoy.izr.com>: could not connect to mccoy.izr.com [195.26.37.7]: Connection refused
    2006-11-14 04:41:55 H=(mccoy.izr.com) [195.26.37.7] F=<www-data@mccoy.izr.com> temporarily rejected RCPT <cecil@thecameracentre.net>: Could not complete sender verify callout
    2006-11-14 04:42:44 H=(141179312) [216.57.173.162] sender verify fail for <ham@glasshouses.com>: response to "MAIL FROM:<>" from eforward2.name-services.com [216.52.184.242] was: 551 invalid address
    2006-11-14 04:42:44 H=(141179312) [216.57.173.162] F=<ham@glasshouses.com> rejected RCPT <sean@appliancerescue.co.uk>: Sender verify failed
    2006-11-14 04:42:44 unexpected disconnection while reading SMTP command from (141179312) [216.57.173.162]
    2006-11-14 04:43:28 H=(spiexch.spi-intranet.com) [67.104.79.98] F=<> rejected RCPT <coalitionaltar@mydomain.com>: 
    2006-11-14 04:44:12 H=([219.131.233.159]) [219.131.237.118] sender verify defer for <iybiuapi@owenton.actaris.com>: Could not complete sender verify callout
    2006-11-14 04:44:12 unexpected disconnection while reading SMTP command from ([219.131.233.159]) [219.131.237.118]
    2006-11-14 04:44:31 H=(gorge) [221.208.141.100] sender verify fail for <GerryySsoothsayer@kingfeatures.com>: response to "RCPT TO:<GerryySsoothsayer@kingfeatures.com>" from mailhost.kingfeatures.com [69.44.168.240] was: 550 GerryySsoothsayer@kingfeatures.com unknown user account
    2006-11-14 04:44:31 H=(gorge) [221.208.141.100] F=<GerryySsoothsayer@kingfeatures.com> rejected RCPT <liam@nortago.com>: Sender verify failed
    2006-11-14 04:44:34 H=(mail.doheny.com) [67.52.56.50] F=<> rejected RCPT <buckshotalbanian@mydomain.com>: 
    2006-11-14 04:45:02 H=(mccoy.izr.com) [195.26.37.7] sender verify defer for <www-data@mccoy.izr.com>: could not connect to mccoy.izr.com [195.26.37.7]: Connection refused
    2006-11-14 04:45:07 H=(exs1.whitereasor.com) [71.16.201.142] F=<> rejected RCPT <collierbinge@mydomain.com>: 
    2006-11-14 04:45:11 1GjqAZ-0007fF-Cq <= clulc@amkor.com H=(81-208-83-236.fastres.net) [81.208.83.236] P=esmtp S=4380 id=458501956.29670367862997@thebat.net T="save up to 70% on the medications for your need"
    2006-11-14 04:45:14 1GjqAZ-0007fF-Cq Completed
    2006-11-14 04:46:07 H=(DERUSAHPR006.eds.de) [192.85.16.85] F=<> rejected RCPT <brennerbarth@mydomain.com>: 
    2006-11-14 04:46:34 H=(host01.frontechost.com) [216.246.45.85] F=<> rejected RCPT <birdlikeabigail@mydomain.com>: 
    2006-11-14 04:46:43 H=(mail.delta.com.ba) [195.222.45.22] F=<> rejected RCPT <dandelionalumni@mydomain.com>: 
    2006-11-14 04:47:12 H=(mx6.pacifier.net) [64.255.237.186] F=<> rejected RCPT <corbettadenosine@mydomain.com>: 
    2006-11-14 04:47:25 H=(wip-ectls-mx1.wipro.com) [203.91.193.21] F=<> rejected RCPT <detailamorous@mydomain.com>: 
    2006-11-14 04:48:18 H=(dmi-web01.demandsolutions.com) [63.246.20.75] F=<> rejected RCPT <aristocratbohr@mydomain.com>: 
    
    Note I have replaced my domain with mydomain.com.

    Is there anything else that I can try to track this down? exim_mainlog is just filling non-stop with these sorts of entries!! The F=<> rejected RCPT is only now there as I am only now using :fail: to rid myself of these emails.

    Thank you for any assistance in this matter.
     
  2. kernow

    The above is not coming from your server.
    We get dozens of these a day. If you see you have loads from the same IP address, then install Chirpy's "Dictionary attack" script:
    http://www.configserver.com/free/eximdeny.html
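To make kernow's point concrete, here is an added example (not code from the thread, and not ConfigServer's eximdeny script) that classifies lines in the format of the exim_mainlog excerpt above and tallies rejected RCPTs per sending IP. The `F=<> rejected RCPT <random-local-part@mydomain.com>` lines are bounces (null envelope sender) from remote MTAs that received spam forging the poster's domain as the sender; they arrive from many unrelated IPs, which is why they don't point at a local script and why an IP deny list does little about them. A dictionary attack looks different: many rejects in a short window from one IP, which is what a per-IP threshold catches. The sample input mixes lines copied from the post with three constructed lines from the documentation address 192.0.2.10 to show the second pattern; the kind names and the threshold are assumptions of this example.

```python
"""Classify exim_mainlog reject lines and count them per sending IP."""
import re
from collections import Counter, defaultdict

# First eight lines copied from the exim_mainlog excerpt in the thread (the
# poster replaced their domain with mydomain.com); the last three lines are
# CONSTRUCTED to show what a dictionary attack from a single IP looks like.
SAMPLE_LOG = """\
2006-11-14 04:37:50 H=(he108war.uk.vianw.net) [195.102.244.139] F=<> rejected RCPT <cordagecohosh@mydomain.com>:
2006-11-14 04:39:05 H=(mta427.mail.mud.yahoo.com) [209.191.88.166] F=<> rejected RCPT <cliffhangbackboard@mydomain.com>:
2006-11-14 04:39:45 H=(c-68-37-22-212.hsd1.de.comcast.net) [68.37.22.212] sender verify defer for <eugkwolppp@oregonweb.com>: host lookup did not complete
2006-11-14 04:39:45 unexpected disconnection while reading SMTP command from (c-68-37-22-212.hsd1.de.comcast.net) [68.37.22.212]
2006-11-14 04:40:21 H=(mail.winninggifts.com) [207.159.143.98] F=<postmaster@mail.winninggifts.com> rejected RCPT <audiotapecloak@mydomain.com>: Sender verify failed
2006-11-14 04:41:22 H=(mailx.hoster.ru) [195.128.50.36] F=<> rejected RCPT <churchillianconduit@mydomain.com>:
2006-11-14 04:45:11 1GjqAZ-0007fF-Cq <= clulc@amkor.com H=(81-208-83-236.fastres.net) [81.208.83.236] P=esmtp S=4380 id=458501956.29670367862997@thebat.net T="save up to 70% on the medications for your need"
2006-11-14 04:45:14 1GjqAZ-0007fF-Cq Completed
2006-11-14 04:50:01 H=(dialup) [192.0.2.10] F=<bulk@example.net> rejected RCPT <aaron@mydomain.com>: Unrouteable address
2006-11-14 04:50:02 H=(dialup) [192.0.2.10] F=<bulk@example.net> rejected RCPT <abbey@mydomain.com>: Unrouteable address
2006-11-14 04:50:03 H=(dialup) [192.0.2.10] F=<bulk@example.net> rejected RCPT <abbott@mydomain.com>: Unrouteable address
"""

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$')
# "(helo-name) [ip]": the first such pair on a line is the connecting peer.
PEER_RE = re.compile(r'\((?P<helo>[^)]*)\) \[(?P<ip>[0-9.]+)\]')
RCPT_RE = re.compile(r'rejected RCPT <(?P<rcpt>[^>]+)>')
SENDER_RE = re.compile(r'F=<(?P<sender>[^>]*)>')

# Kinds that count as a reject attributable to the connecting IP (assumption).
REJECT_KINDS = ('backscatter', 'sender_verify_fail', 'rcpt_rejected')


def classify(line):
    """Return (kind, peer_ip, recipient) for a log line, or None if uninteresting."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    peer = PEER_RE.search(rest)
    ip = peer.group('ip') if peer else None
    rcpt_m = RCPT_RE.search(rest)
    rcpt = rcpt_m.group('rcpt') if rcpt_m else None
    sender_m = SENDER_RE.search(rest)
    if ' <= ' in rest:
        kind = 'accepted'                       # message received by this server
    elif rcpt is not None:
        if sender_m is not None and sender_m.group('sender') == '':
            kind = 'backscatter'                # null sender: a bounce for mail we never sent
        elif 'Sender verify failed' in rest:
            kind = 'sender_verify_fail'
        elif 'temporarily rejected' in rest:
            kind = 'sender_verify_defer'
        else:
            kind = 'rcpt_rejected'              # e.g. unrouteable local part
    elif 'sender verify fail' in rest:
        kind = 'sender_verify_fail'
    elif 'sender verify defer' in rest:
        kind = 'sender_verify_defer'
    elif 'unexpected disconnection' in rest:
        kind = 'disconnect'
    else:
        return None
    return kind, ip, rcpt


def summarize(log_text):
    """Tally line kinds, rejects per peer IP, and rejected local parts per domain."""
    kinds = Counter()
    rejects_per_ip = Counter()
    local_parts = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        kind, ip, rcpt = result
        kinds[kind] += 1
        if kind in REJECT_KINDS and ip:
            rejects_per_ip[ip] += 1
        if rcpt and '@' in rcpt:
            local, domain = rcpt.rsplit('@', 1)
            local_parts[domain].add(local)
    return kinds, rejects_per_ip, dict(local_parts)


def suspect_sources(rejects_per_ip, threshold):
    """IPs with at least `threshold` rejected RCPTs: candidates for a dictionary-attack deny list."""
    return sorted(ip for ip, n in rejects_per_ip.items() if n >= threshold)


if __name__ == '__main__':
    kinds, per_ip, parts = summarize(SAMPLE_LOG)
    print('line kinds:', dict(kinds))
    print('rejects per IP:', dict(per_ip))
    print('rejected local parts per domain:', {d: sorted(p) for d, p in parts.items()})
    print('suspect sources (>=3 rejects):', suspect_sources(per_ip, 3))
```

Run against the sample, the backscatter lines each come from a different IP (one reject apiece), while only the constructed 192.0.2.10 crosses the threshold; on a real log you would feed `/var/log/exim_mainlog` through `summarize` and look at `suspect_sources` with a threshold tuned to your traffic.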
     
  3. trout21

    Thanks for the reply. I was needing a second opinion on the very thing you commented on.

    I've now put in place the exim_deny script and am scouring through the logs again.

    I'm pretty dejected about this! Don't particularly want my domain being used to spam... even if it's a forged header!! :mad:
     